NETWORK SECURITY - MetaLab

homuskrat, Networks and Communications

20 Nov 2013 (3 years and 8 months ago)

NETWORK SECURITY

ADD ON NOTES

MMD © Oct2012

IMPLEMENTATION

Enable Passwords On Cisco Routers Via Enable Password And Enable Secret

Access Control Lists (ACLs)

How to Prevent Denial of Service Attacks

How Kerberos Authentication Works



Enable Passwords On Cisco Routers Via Enable Password And Enable Secret

The two most basic passwords a Cisco router supports are set with the enable password command and the enable secret command. Both guard entry to privileged EXEC mode, but they are stored differently: enable password is kept in the configuration as cleartext (or, with service password-encryption, as a type 7 string that is trivially reversible), while enable secret is stored as a salted hash (type 5 MD5 on older IOS; type 8 PBKDF2-SHA256 or type 9 scrypt on recent releases).

Depending on the IOS version, administrators will likely only need to set up the enable secret command. When both are configured, enable secret takes precedence, so the enable password adds nothing except a weakly protected copy of a privileged credential. Remove it, and treat any type 7 string found in a configuration as already disclosed.
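The difference between the two commands is easiest to see by auditing a configuration for them. The following Python script is an added example, not part of the original notes: it reverses type 7 strings with the public Cisco key and reports whether privileged access rests on a cleartext or reversible enable password or on an enable secret hash. The two configurations at the bottom are constructed for the example, and the type 9 hash values in them are placeholders, not real hashes.

```python
import re

# Cisco's fixed type-7 key. It is public, which is why "service password-encryption"
# is obfuscation rather than encryption and why type 7 strings count as disclosed.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUB"

def type7_decode(encoded: str) -> str:
    """Reverse a type-7 string: two-digit decimal seed, then hex bytes XORed with the key."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(body))
    return plain.decode()

def type7_encode(plain: str, seed: int = 2) -> str:
    """Forward direction, only so the audit can be exercised on configurations built here."""
    data = plain.encode()
    body = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"

ENABLE_RE = re.compile(r"^\s*enable\s+(password|secret)\s+(?:([05789])\s+)?(\S+)")
PASSWORD7_RE = re.compile(r"\bpassword\s+7\s+([0-9A-Fa-f]+)")

def audit_enable(config: str) -> dict:
    """Report how privileged-EXEC access is protected in a running-config."""
    types = {"password": None, "secret": None}
    findings = []
    for line in config.splitlines():
        m = ENABLE_RE.match(line)
        if not m:
            continue
        kind, typ, value = m.group(1), m.group(2) or "0", m.group(3)
        types[kind] = typ
        if kind == "password" and typ == "0":
            findings.append(f"enable password stored in cleartext: {value!r}")
        elif kind == "password" and typ == "7":
            findings.append(f"enable password is type 7, reversible to {type7_decode(value)!r}")
    if types["secret"] is None:
        findings.append("no enable secret configured; set one so only a hash is stored")
    elif types["password"] is not None:
        findings.append("enable password is ignored once enable secret exists; remove it")
    if types["secret"] == "5":
        findings.append("enable secret is type 5 (MD5); prefer type 8 or 9 where IOS supports them")
    return {"types": types, "findings": findings}

def reversible_passwords(config: str) -> list:
    """Every 'password 7' string anywhere in the config (vty lines, usernames), decoded."""
    return [(m.group(1), type7_decode(m.group(1))) for m in PASSWORD7_RE.finditer(config)]

# Constructed configurations (not from a real device) to run the audit against.
WEAK_CONFIG = """\
hostname edge-weak
enable password 7 02050D480809
username ops password 7 05080F1C2243
line vty 0 4
 password 7 02050D480809
 login
"""
HARDENED_CONFIG = """\
hostname edge-hardened
enable secret 9 $9$ConstructedSampleHashNotARealOne
username ops secret 9 $9$AnotherConstructedSampleHash
line vty 0 4
 login local
 transport input ssh
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        report = audit_enable(cfg)
        print(name, report["types"], *report["findings"], sep="\n  ")
        for enc, plain in reversible_passwords(cfg):
            print(f"  type 7 {enc} -> {plain!r}")
```

Both type 7 strings in the weak configuration decode to the same password even though they differ, because the two leading digits are only a starting position in the key; the audit therefore treats every type 7 string as cleartext.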

ACLs

Access Control Lists (ACLs) allow a router to permit or deny packets based on a variety of criteria. A standard ACL matches only on the source IP address; an extended ACL can also match destination, protocol and ports.

Three basic steps to configure a Standard Access List:

1. Use the access-list global configuration command to create an entry in a standard ACL (one line per entry, in the order they should be checked).

2. Use the interface configuration command to select an interface to which to apply the ACL.

3. Use the ip access-group interface configuration command to activate the existing ACL on an interface, inbound or outbound.

Entries are evaluated top to bottom and the first match wins. A packet that matches no entry hits the implicit deny at the end of every ACL, so an ACL consisting only of deny statements blocks all traffic, and an entry placed after a broader one that already matches is never reached.

With Access Lists you will have a variety of uses for the wildcard masks, where a 0 bit means "must match" and a 1 bit means "don't care" (the inverse of a subnet mask):

Match a specific host (wildcard 0.0.0.0, or the host keyword),

Match an entire subnet (for example 192.168.1.0 0.0.0.255),

Match an IP range (for example 10.0.16.0 0.0.3.255 covers 10.0.16.0 to 10.0.19.255), or

Match everyone and anyone (0.0.0.0 255.255.255.255, or the any keyword).
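To show what the wildcard masks and the first-match rule do to real addresses, here is an added Python model of a numbered standard ACL; it is example code, not part of the original notes or of IOS. It accepts entries in the access-list syntax above, applies Cisco wildcard semantics, and falls through to the implicit deny. The two ACLs and the addresses tested are constructed for the example.

```python
import ipaddress

def _ip(a: str) -> int:
    return int(ipaddress.IPv4Address(a))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is 'don't care'."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

class StandardAcl:
    """Numbered standard ACL: source-address checks, first match wins, implicit deny at the end."""

    def __init__(self, number: int):
        self.number = number
        self.entries = []          # (action, base, wildcard), in configured order

    def add(self, line: str) -> "StandardAcl":
        """Accept the forms IOS does: 'access-list N permit A.B.C.D W.X.Y.Z',
        'deny host A.B.C.D', 'permit any' (the 'access-list N' prefix is optional)."""
        toks = line.split()
        if toks[0] == "access-list":
            if int(toks[1]) != self.number:
                raise ValueError(f"entry belongs to ACL {toks[1]}, not {self.number}")
            toks = toks[2:]
        action = toks[0]
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        if toks[1] == "any":
            base, wildcard = "0.0.0.0", "255.255.255.255"
        elif toks[1] == "host":
            base, wildcard = toks[2], "0.0.0.0"
        else:
            base = toks[1]
            wildcard = toks[2] if len(toks) > 2 else "0.0.0.0"   # IOS default wildcard
        self.entries.append((action, base, wildcard))
        return self

    def evaluate(self, src: str) -> str:
        """Return the action of the first matching entry; no match means implicit deny."""
        for action, base, wildcard in self.entries:
            if wildcard_match(src, base, wildcard):
                return action
        return "deny"

# Constructed example ACL (not from the original page), as applied with 'ip access-group 10 in'.
ACL10 = (StandardAcl(10)
         .add("access-list 10 deny host 192.168.1.13")           # one specific host
         .add("access-list 10 permit 192.168.1.0 0.0.0.255")     # an entire /24
         .add("access-list 10 permit 10.0.16.0 0.0.3.255")       # range 10.0.16.0 - 10.0.19.255
         .add("access-list 10 deny any"))                         # explicit form of the implicit deny

# The same host deny placed after the subnet permit: the broader entry now shadows it.
ACL11 = (StandardAcl(11)
         .add("permit 192.168.1.0 0.0.0.255")
         .add("deny host 192.168.1.13"))

if __name__ == "__main__":
    for src in ("192.168.1.13", "192.168.1.200", "10.0.18.7", "10.0.20.1", "172.16.0.1"):
        print(f"{src:>14}  acl 10 -> {ACL10.evaluate(src):6}  acl 11 -> {ACL11.evaluate(src)}")
```

ACL 10 denies 192.168.1.13 and permits the rest of its /24; ACL 11, with the same two entries reversed, permits 192.168.1.13, which is the ordering mistake a review of any ACL should look for first.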


How to Prevent Denial of Service Attacks

The denial of service (DoS) attack is one of the most commonly seen malicious attacks, because it needs no flaw in the target: it only has to exhaust some resource (bandwidth, connection state, CPU) faster than the target can replenish it.

Very little skill or tooling is needed to launch one; a single host with a command prompt can generate enough traffic to disturb a small site. The question is: how do you protect against an attack that can cripple your network or website in a matter of minutes?

If you are going to protect against an attack, you first have to know how it works. You must familiarise yourself with the different variations, methods and plans of attack that attackers use.

There are at least seven different classifications of DoS attacks known today; the ones covered here are the ping flood, ping of death, smurf, fraggle, SYN flood, teardrop and DDoS.

DoS: Ping Flood

The most basic of attacks is the ping flood attack. It relies on the ICMP echo request, more popularly known as ping. In legitimate situations the ping command is used by network administrators to test connectivity between two computers. In the ping flood attack, it is used to send a large volume of echo requests to the victim's computer in an attempt to overload its bandwidth or its CPU, since every request normally draws an echo reply.

Two ping options an attacker abuses (Windows ping syntax):

The -n option tells ping how many requests to send. The default is four packets.

The -l option tells ping how much data to send in each packet. The maximum is 65,500 bytes, while the default is just 32. (On Linux the equivalents are -c and -s, and -f sends requests as fast as replies arrive, which is where the name "flood" comes from.)

This type of attack is generally useless against larger networks or websites, because only one computer is being used to flood the victim's resources; the attacker needs more bandwidth than the victim. If a group of computers were used, the attack would become a distributed denial of service attack, or DDoS.

The most common cure for the ping flood attack is simply to ban the offending IP address from accessing your network. That works only while the attacker uses one real address; against spoofed or rotating sources, rate-limiting ICMP echo requests at the border, or dropping them for hosts that have no need to answer, is the more durable control.


DoS: Ping of Death

The ping of death attack, or PoD, can crash a host because of a flaw in early IP implementations. The maximum size of an IP packet, header included, is 65,535 bytes, because the total-length field is 16 bits wide.

If one were to deliver a packet larger than that, the receiving computer's IP stack would crash, because its reassembly buffer was sized for the legal maximum.

A ping of this size cannot be sent as a single packet, but the attacker does not need to: IP fragments the packet, and the fragment offset field (13 bits, counted in 8-byte units) plus the last fragment's length can add up to more than 65,535 bytes. When the fragments are reassembled on the receiving computer, the overall packet size is too great. This causes a buffer overflow in the kernel and crashes the device.

Luckily, most devices created after 1998 are immune to this kind of attack, because their stacks check each fragment's offset plus length against the limit before copying. If you are running a network with outdated devices this will indeed be a possible threat to your network. In this case, upgrade your devices if possible.

DoS: Smurf Attack

When conducting a smurf attack, attackers spoof the source address of ICMP echo requests to be the victim's IP address and send them to the broadcast address of a network that still forwards directed broadcasts. Every host on that network answers, and all the replies go to the victim.

This amplifies the attacker's traffic by the number of hosts on the responding network, and a massive flood of echo replies arrives at the victim's networking device, if done correctly. The intermediate network is usually an unwitting participant, not the attacker's own.

Most firewalls protect against smurf attacks, but there are several things you can do. If you have access to the router your network or website is on, simply tell it not to forward packets addressed to directed broadcast addresses, so your network cannot be used as the amplifier. In a Cisco router, simply use the interface command:

no ip directed-broadcast

This has been the default since IOS 12.0, but verify it on every interface of older or migrated configurations. At the victim's end, ICMP echo replies can be rate-limited or dropped at the border.

DoS: Fraggle

A Fraggle attack is exactly the same as a smurf attack, except that it uses the User Datagram Protocol (UDP) rather than ICMP: spoofed UDP packets are sent to a broadcast address on port 7 (echo) or port 19 (chargen), and every host running those services answers the victim.

Fraggle attacks, like smurf attacks, are starting to become outdated and are commonly stopped by most firewalls or routers; the same no ip directed-broadcast setting prevents your network from being used as the amplifier.

This attack is generally less powerful than the smurf attack, since almost every host answers ICMP echo requests while few still run the UDP echo or chargen services. Disable those small services on hosts and routers (no service udp-small-servers on Cisco IOS).

DoS: SYN Flood Attack

The SYN flood attack takes advantage of the TCP three-way handshake: the client sends SYN, the server answers SYN-ACK and allocates state for the connection, and the client completes it with ACK.

This method operates two separate ways. Both methods attempt to start a three-way handshake but not complete it, so the server is left holding half-open connections. The table of half-open connections (the listen backlog) is small and finite; once it is full, legitimate SYNs are dropped and the service is unreachable even though the host is otherwise healthy.

The first attack method can be achieved when the attacker sends a synchronize request, or SYN, with a spoofed source IP address. When the server sends back its SYN-ACK (synchronize-acknowledge), it goes to the spoofed address and will obviously not get a response. This means that the server never obtains the client's ACK, and the entry stays half-open until the retransmission timer gives up, typically after tens of seconds.

Alternatively, the attacker can use its real address and simply choose not to send the acknowledgement. Both of these methods stall the server, which is patiently waiting for the ACK. The second form can be handled by rate-limiting or blocking the source; the first cannot, since the source addresses are not real, which is why servers rely on SYN cookies or on a firewall that completes the handshake on their behalf.
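The ping flood and the two SYN flood variants described above look different on the wire, so here is an added detection example, not part of the original notes, that runs over a constructed packet trace and tells the three apart: it counts half-open connections per source (SYN seen, no final ACK within a timeout) and ICMP echo requests per source per second. The trace builder, addresses (TEST-NET ranges) and thresholds are assumptions made for the example.

```python
from collections import Counter

# Trace records are constructed, not captured: (time_s, src, src_port, kind) where kind is
# "SYN" (client SYN), "ACK" (client's final handshake ACK) or "ECHO" (ICMP echo request).
def build_trace():
    trace = []
    for i in range(5):                                   # legitimate clients complete the handshake
        src = f"198.51.100.{10 + i}"
        trace.append((0.5 * i, src, 40000 + i, "SYN"))
        trace.append((0.5 * i + 0.02, src, 40000 + i, "ACK"))
    for i in range(60):                                  # method 2: real source, never sends the ACK
        trace.append((1.0 + i * 0.01, "203.0.113.7", 50000 + i, "SYN"))
    for i in range(1, 121):                              # method 1: spoofed sources, one SYN each
        trace.append((2.0 + i * 0.005, f"192.0.2.{i}", 6000 + i, "SYN"))
    for i in range(300):                                 # ping flood: 300 echo requests in one second
        trace.append((4.0 + i / 300, "203.0.113.9", 0, "ECHO"))
    trace.append((10.0, "198.51.100.10", 40005, "SYN"))  # brand-new SYN, still inside its handshake window
    return trace

def analyse(trace, syn_timeout=3.0, backlog_alert=50, icmp_pps_alert=100):
    """Count half-open TCP connections and per-second ICMP echo rates as of the end of the trace."""
    end = max(t for t, *_ in trace)
    pending = {}                                         # (src, port) -> time the SYN was seen
    icmp = Counter()                                     # (src, whole second) -> echo requests
    for t, src, port, kind in trace:
        if kind == "SYN":
            pending[(src, port)] = t
        elif kind == "ACK":
            pending.pop((src, port), None)               # handshake completed, state released
        elif kind == "ECHO":
            icmp[(src, int(t))] += 1
    half_open = Counter(src for (src, _), t0 in pending.items() if end - t0 >= syn_timeout)
    total = sum(half_open.values())
    single = sum(1 for n in half_open.values() if n == 1)
    top = half_open.most_common(1)[0] if half_open else None
    floods = sorted((src, sec, n) for (src, sec), n in icmp.items() if n >= icmp_pps_alert)
    findings = []
    if total >= backlog_alert:
        findings.append(f"SYN flood: {total} half-open connections from {len(half_open)} sources")
        if top and top[1] >= backlog_alert // 2:
            findings.append(f"{top[0]} alone holds {top[1]} half-open connections: rate-limit or block it")
        if single >= backlog_alert:
            findings.append(f"{single} sources hold exactly one half-open connection: looks spoofed; "
                            "blocking addresses will not help, use SYN cookies and ingress filtering")
    for src, sec, n in floods:
        findings.append(f"ping flood: {n} echo requests from {src} in second {sec}")
    return {"half_open_total": total, "sources": len(half_open), "top_source": top,
            "single_syn_sources": single, "icmp_floods": floods, "findings": findings}

if __name__ == "__main__":
    for line in analyse(build_trace())["findings"]:
        print(line)
```

The distribution of half-open entries is the useful signal: one source holding dozens of them is the unacknowledged-SYN variant and can be blocked, while many sources holding exactly one each is the spoofed variant, where the addresses are not real and only SYN cookies or ingress filtering help.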


DoS: Teardrop

In the teardrop attack, IP fragments are sent with offsets and lengths that overlap, so that the second fragment claims to sit inside the data the first one already delivered.

When the receiving device attempts to reassemble them, the arithmetic for the overlapping region goes wrong (the vulnerable code computed a negative length for the second fragment and copied it as a huge unsigned value), and the stack does not know how to handle the result.

Older versions of operating systems will simply crash when this occurs. Operating systems such as Windows NT, Windows 95, and even Linux versions prior to version 2.1.63 are vulnerable to the teardrop attack. Modern stacks drop overlapping fragments outright.
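Both the ping of death and the teardrop attack above are failures of fragment reassembly, so one set of checks covers them. The following Python validator is an added example, not code from the original notes or from any real IP stack: it rejects a fragment set whose reassembled size would exceed the 65,535-byte datagram limit (ping of death) or whose fragments overlap (teardrop), and only then joins the data. The 20-byte header length, the 1480-byte fragment size and the three fragment sets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MAX_IP_DATAGRAM = 65535            # 16-bit total-length field
IP_HEADER_LEN = 20                 # assumption: no IP options
MAX_PAYLOAD = MAX_IP_DATAGRAM - IP_HEADER_LEN

@dataclass
class Fragment:
    offset: int        # 13-bit fragment-offset field, in 8-byte units
    mf: bool           # "more fragments" flag
    data: bytes

def validate(frags: List[Fragment]) -> Tuple[str, str]:
    """Check a fragment set before touching a reassembly buffer.
    Returns ('ok' | 'incomplete' | 'reject', reason)."""
    if not frags:
        return "incomplete", "no fragments yet"
    ordered = sorted(frags, key=lambda f: f.offset)
    covered = 0                                   # payload bytes already accounted for
    for f in ordered:
        start, end = f.offset * 8, f.offset * 8 + len(f.data)
        if not 0 <= f.offset < 2 ** 13:
            return "reject", f"offset {f.offset} does not fit the 13-bit field"
        if end > MAX_PAYLOAD:                     # the ping-of-death condition
            return "reject", f"ping of death: fragment ends at byte {end}, beyond the {MAX_IP_DATAGRAM}-byte limit"
        if start < covered:                       # the teardrop condition
            return "reject", f"teardrop: fragment at {start} overlaps data already covered up to {covered}"
        if f.mf and len(f.data) % 8:
            return "reject", "non-final fragment length is not a multiple of 8"
        covered = max(covered, end)
    cursor = 0                                    # second pass: is the set complete?
    for f in ordered:
        if f.offset * 8 > cursor:
            return "incomplete", f"gap between byte {cursor} and {f.offset * 8}"
        cursor = f.offset * 8 + len(f.data)
    if ordered[-1].mf:
        return "incomplete", "last fragment still has MF set"
    return "ok", f"{cursor} payload bytes"

def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Only join fragments that passed validation; anything else is dropped, never copied."""
    verdict, _ = validate(frags)
    if verdict != "ok":
        return None
    return b"".join(f.data for f in sorted(frags, key=lambda f: f.offset))

def fragment(payload: bytes, mtu_payload: int = 1480) -> List[Fragment]:
    """Honest fragmentation, the way a sending host does it (1480 = 1500 MTU minus the header)."""
    out, off = [], 0
    while off < len(payload):
        chunk = payload[off:off + mtu_payload]
        out.append(Fragment(off // 8, off + len(chunk) < len(payload), chunk))
        off += len(chunk)
    return out

# Constructed fragment sets (not captures): a normal 3000-byte ping, a ping of death whose
# last fragment sits near the top of the offset field, and a teardrop pair.
NORMAL = fragment(bytes(3000))
PING_OF_DEATH = [Fragment(0, True, bytes(1480)), Fragment(8189, False, bytes(104))]
TEARDROP = [Fragment(0, True, bytes(32)), Fragment(3, False, bytes(8))]

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("ping of death", PING_OF_DEATH), ("teardrop", TEARDROP)):
        print(f"{name:>14}: {validate(frags)}")
```

The order of the checks matters: size and overlap are rejected per fragment as it arrives, before completeness is considered, so an attacker cannot slip a bad fragment past the validator by withholding the ones that would complete the datagram.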



DoS: DDoS

A distributed denial of service attack, or DDoS, is much like the ping flood method, only multiple computers are being used. The computers that are being used may or may not be aware of the fact that they are attacking a website or network. Trojans and viruses commonly give the attacker control of a computer, and thus the ability to use it for attack. In this case the compromised computers are called zombies, and the whole set a botnet.

A DDoS attack is very tough to overcome, because the traffic comes from many real addresses and may be indistinguishable from legitimate requests. The first thing to do is to contact your hosting provider or internet service provider, depending on what is under attack. They will usually be able to filter out the bulk of the traffic upstream, based on where it is coming from, before it fills your link. For larger-scale attacks, you will have to become more creative.

If you have access to your router and it is a Cisco, enable unicast Reverse Path Forwarding on the interfaces facing the outside with the interface command:

ip verify unicast reverse-path

(The form with a leading no turns the check off.) uRPF drops any packet whose source address is not reachable back through the interface it arrived on, which is how it ensures that attackers cannot use spoofed source addresses through your router. It does not help against a botnet whose members use their real addresses, and the strict form can drop legitimate traffic where routing is asymmetric; use the loose form (ip verify unicast source reachable-via any) in that case.


Options in DDoS Prevention

Hire a security company to assess and repair the damage.

Buy an intrusion detection system (IDS). Note that an IDS detects and alerts; to drop the traffic you need an inline intrusion prevention system or an upstream scrubbing service.


How Kerberos Authentication Works

If you are running Windows 2000 or later in an Active Directory domain, you are indeed running Kerberos by default; it is the domain's primary authentication protocol, with NTLM kept only as a fallback.

Advantage of Kerberos: to help combat security concerns such as credential theft on the wire.

FTP and Telnet send passwords in plaintext. These passwords are easy to intercept with the right tools. Anyone with a simple packet sniffer and packet analyser can obtain an FTP or Telnet logon with ease. With that kind of sensitive information being transmitted, the need for Kerberos is obvious.

Sure, FTP and Telnet logons are easy to intercept, but then again so is every other application protocol that carries credentials without encryption. Kerberos removes the problem by never sending the password at all: the client proves it knows the password by decrypting material the KDC encrypted under a key derived from it.

Kerberos operates by encrypting data with symmetric keys. Symmetric-key cryptography means both parties use the same key to encrypt and decrypt; in Kerberos each principal (user, host, service) shares one long-term key with the key distribution centre, or KDC, and short-lived session keys are created for each client-service pairing. Instead of exchanging keys directly between each pair of computers, every request goes through the KDC, which comprises the authentication service (AS) and the ticket-granting server (TGS).



8 steps to do this:

1. The client sends a request to the authentication service, or AS, naming its principal. With pre-authentication the request carries the current timestamp encrypted under the client's long-term key (derived from the password). The AS decrypts it and checks that it is within the allowed clock skew (5 minutes by default); this is how it verifies that the client is indeed who it claims to be.

2. Upon verification, the AS generates a random session key and stamps it with a start time and an expiry. The default ticket lifetime is 10 hours in an Active Directory domain. Once the lifetime is up, the session key and the ticket that carries it are useless.

3. The session key is sent back to the client in two forms: inside a ticket-granting ticket, or TGT, encrypted under the KDC's own krbtgt key so the client can neither read nor alter it, and separately encrypted under the client's own key so the client can recover it. The TGT is the client's proof of authentication for the rest of the session; the password itself is never transmitted.

4. To reach a service, the client submits the TGT to the ticket-granting server, or TGS, together with the name of the service and an authenticator: its own name and the current time, encrypted with the TGT session key.

5. The TGS decrypts the TGT with the krbtgt key, checks its expiry, decrypts the authenticator with the session key found inside the TGT, and checks that the timestamp is fresh. It then creates a new service session key and grants the client a service ticket, encrypted with the service's long-term key, plus a copy of the service session key encrypted with the TGT session key.

6. The client decrypts the service session key with the TGT session key (it cannot open the ticket itself, and never learns the service's key) and sends the service the ticket together with a fresh authenticator encrypted with the service session key.

7. The service decrypts the ticket with its own key, makes sure the expiry and the timestamp are still valid, decrypts the authenticator with the session key from the ticket and checks that the same authenticator has not been presented before. No contact with the key distribution centre is needed at this step. For mutual authentication it replies with the authenticator's timestamp encrypted under the session key.

8. The client decrypts the reply. If the timestamp matches, the service has proven it holds its key, both sides now share a session key, and communication is initiated between client and server.

The client is authenticated until the ticket expires.
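The eight steps above are easier to follow with both sides' messages in code. The following Python simulation is an added example, not part of the original notes and not an implementation of any real Kerberos library: a KDC holding the long-term keys, a service, and a client that runs the AS, TGS and AP exchanges, with the timestamp, expiry, replay and mutual-authentication checks from the steps. The HMAC-based cipher stands in for Kerberos' AES enctypes, and the realm (alice, krbtgt, host/fileserver, the password) is constructed for the example.

```python
import hashlib, hmac, json, os

LIFETIME = 10 * 3600      # Active Directory's default ticket lifetime
SKEW = 300                # maximum clock skew Kerberos tolerates, 5 minutes
PBKDF2_ITERATIONS = 4096  # iteration count RFC 3962's string-to-key uses by default

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from a password, salted with the principal name as Kerberos does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), PBKDF2_ITERATIONS)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, ctr = [], 0
    while sum(map(len, blocks)) < n:
        blocks.append(hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest())
        ctr += 1
    return b"".join(blocks)[:n]

def seal(key: bytes, fields: dict) -> bytes:
    """Toy stand-in for Kerberos' AES-CTS-HMAC: HMAC-counter keystream, encrypt-then-MAC."""
    pt = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check_authenticator(auth: dict, ticket: dict, now: int):
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW:
        raise ValueError("authenticator does not match ticket or is outside clock skew")

class KDC:
    """Holds every principal's long-term key; AS and TGS are two roles of the same server."""
    def __init__(self, keys: dict):
        self.keys = keys

    def as_exchange(self, client: str, preauth: bytes, now: int):
        ck = self.keys[client]
        if abs(now - unseal(ck, preauth)["ts"]) > SKEW:      # steps 1-2: pre-auth proves the password
            raise ValueError("pre-authentication timestamp outside clock skew")
        sk, exp = os.urandom(32), now + LIFETIME
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "exp": exp})
        return tgt, seal(ck, {"key": sk.hex(), "exp": exp})   # step 3: TGT plus key for the client

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int):
        tgt = unseal(self.keys["krbtgt"], tgt_blob)              # step 5: only the KDC can open a TGT
        if now > tgt["exp"]:
            raise ValueError("TGT expired")
        sk = bytes.fromhex(tgt["key"])
        _check_authenticator(unseal(sk, authenticator), tgt, now)
        ssk = os.urandom(32)
        ticket = seal(self.keys[service], {"client": tgt["client"], "key": ssk.hex(), "exp": now + LIFETIME})
        return ticket, seal(sk, {"key": ssk.hex(), "service": service})

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key, self.seen = name, key, set()

    def ap_exchange(self, ticket_blob: bytes, authenticator: bytes, now: int):
        ticket = unseal(self.key, ticket_blob)                   # step 7: no KDC round trip needed
        if now > ticket["exp"]:
            raise ValueError("service ticket expired")
        ssk = bytes.fromhex(ticket["key"])
        auth = unseal(ssk, authenticator)
        _check_authenticator(auth, ticket, now)
        if (auth["client"], auth["ts"]) in self.seen:             # replay cache for the skew window
            raise ValueError("replayed authenticator")
        self.seen.add((auth["client"], auth["ts"]))
        return seal(ssk, {"ts": auth["ts"]})                     # AP-REP: proves the service holds its key

def client_login(kdc: KDC, service: Service, user: str, password: str, now: int):
    """The whole exchange from the client's side; returns the service session key and the AP-REQ."""
    ck = string_to_key(password, user)
    tgt, enc = kdc.as_exchange(user, seal(ck, {"ts": now}), now)  # a wrong password fails here
    sk = bytes.fromhex(unseal(ck, enc)["key"])                   # TGT session key, under the client's key
    ticket, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "ts": now}), service.name, now)
    ssk = bytes.fromhex(unseal(sk, enc2)["key"])
    ap_req = (ticket, seal(ssk, {"client": user, "ts": now}))   # step 6
    if unseal(ssk, service.ap_exchange(*ap_req, now))["ts"] != now:   # step 8: mutual authentication
        raise ValueError("service failed to prove its identity")
    return ssk, ap_req

def demo_realm():
    """Constructed realm: one user, the krbtgt principal and one file server (keys made here)."""
    keys = {"alice": string_to_key("correct horse", "alice"),
            "krbtgt": os.urandom(32), "host/fileserver": os.urandom(32)}
    return KDC(keys), Service("host/fileserver", keys["host/fileserver"])

if __name__ == "__main__":
    kdc, fs = demo_realm()
    ssk, _ = client_login(kdc, fs, "alice", "correct horse", 1_700_000_000)
    print("session key established:", ssk.hex()[:16], "...")
```

Two properties worth noticing in the code: the password never leaves the client (a wrong one simply fails the MAC on the pre-authentication blob at the KDC), and the service authenticates the client without talking to the KDC, because everything it needs is inside a ticket that only its own key can open. Presenting the same ticket and authenticator a second time is refused by the replay cache, and any ticket is refused once its expiry has passed.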